Quattro S: Security, Safety, Sovereignty, Social Product
- Project team: Weber, Arnd (Project leader)
- Start date: 2017
- End date: 2019
- Project partners: Fraunhofer SIT, Fraunhofer Singapore, RheinMain University of Applied Sciences, TU Berlin/T-Labs
- Research group: Innovation processes and impacts of technology
Project description
This project will provide solutions to multiple problems. The first one is the security of information technology. The range of issues addressed includes zero-day exploits (e.g., WannaCry ransomware), denial of service attacks (e.g., Mirai), hardware attacks (e.g., based on the Meltdown and Spectre CPU flaws) up to novel types of hardware Trojans. The possibilities for these attacks originate from weaknesses in the long IT supply chains and threaten the confidentiality, integrity, and availability of systems.
The second problem is that these attacks can also threaten the safety of products, e.g., in energy infrastructures or in the automotive industry.
The third problem lies in the loss of value added because of a migration of production and competences towards competing economies (e.g., US and China). Sovereignty would mean having full control of the characteristics of information technology, being sure that no hidden features are implemented and that no business secrets can be stolen, and benefiting economically from such control.
These objectives are difficult to meet because any component involved in the supply chain may have multiple flaws, possibly even due to problems in the development tools used. Furthermore, while more secure components will reduce overall costs, developing them may initially increase costs. Hence, regulation making secure systems mandatory can help because competing companies would operate under the same conditions. Since other parts of the world are also working on controlling the supply chains, research on options and their implementation in industry is indispensable.
The project will include the following activities:
- Risk analysis
- Exploration of technical options, such as (1) the control of the entire supply chain, from the application layers through to the operating system and the hardware and tools used; (2) open, certified and proven paths; (3) migration paths of solutions, e.g., from small systems to large ones
- Exploration of supportive economic and legislative actions
- Contribution to setting up a transition process and participation in the development of prototypes
- Discussion of results, involving stakeholders, and refinement of options, prototypes, and product visions
The objectives will be pursued by means of expert interviews, dissemination activities, workshops, maintenance of a website, as well as participation in the specification and development of prototypes.
Further information in the flyer “Eradicate Faults and Backdoors in Information Technology and Facilitate Innovation”.
Events
Workshop on “Security and Sovereignty in the Information Technology Supply Chain”, organized by KIT, Fraunhofer SIT and Télécom ParisTech, on January 12, 2017
Selected publications
Weber, A.; Heiser, G.; Kuhlmann, D.; Schallbruch, M.; Chattopadhyay, A.; Guilley, S.; Kasper, M.; Krauß, C.; Krüger, P. S.; Reith, S.; Seifert, J.-P.
Secure IT without vulnerabilities and back doors. TATuP - Zeitschrift für Technikfolgenabschätzung in Theorie und Praxis 29(2020)1, pp. 30-36
Weber, A.; Reith, S.; Kuhlmann, D.; Kasper, M.; Seifert, J.-P.; Krauß, C.
Open source value chains for addressing security issues efficiently. In: IEEE Xplore (ed.): Proceedings of the 3rd Annual IEEE Workshop on Cyber Resilience and Economics (CRE 2018), July 16-20, 2018, Lisbon, Portugal. Lisbon, Portugal: IEEE Conference Publications 2019, pp. 599-606, DOI: 10.1109/QRS-C.2018.00105
Weber, A.; Reith, S.; Kasper, M.; Kuhlmann, D.; Seifert, J.-P.; Krauß, C.
Sovereignty in information technology. Security, safety and fair market access by openness and control of the supply chain. Karlsruhe, Wiesbaden, Singapore, Darmstadt, Berlin: KIT-ITAS, HS RheinMain, Fraunhofer Singapore/SIT, TU Berlin 2018, publ. online
Publications
Sichere IT ohne Schwachstellen und Hintertüren
2020. TATuP, 29 (1), 30–36. doi:10.14512/tatup.29.1.30
IT-Sicherheit gründlich lösbar?
2018. Zukunftsmotor, 2018 (2), 12–13
Sichere, offene IT-Wertschöpfungskette
2018. Funkschau, 2018 (12), 36–37
Souveränität und die IT-Wertschöpfungskette
2018. Datenschutz und Datensicherheit, 42 (5), 291–293. doi:10.1007/s11623-018-0943-z
Open Source Value Chains for Addressing Security Issues Efficiently
2018. 18th IEEE International Conference on Software Quality, Reliability, and Security Companion, QRS-C 2018; Lisbon; Portugal; 16 July 2018 through 20 July 2018, 599–606, Institute of Electrical and Electronics Engineers (IEEE). doi:10.1109/QRS-C.2018.00105
Sovereignty and the information technology supply chain: Security, safety and fair market access by openness and control of the supply chain
2018. Karlsruher Institut für Technologie (KIT)
Cybersecurity for Industry
2018. International Conference on Cyber Security Opportunities and Challenges (2018), Bangkok, Thailand, December 6–7, 2018
A Global Agenda
2018. International Conference on Cyber Security Opportunities and Challenges (2018), Bangkok, Thailand, December 6–7, 2018
Full Stack Open Supply Chains
2018. Fraunhofer Singapore (2018), Singapore, Singapore, December 12, 2018
Offenheit der IT Supply Chain einschließlich Tools und Fabs
2018. Gulaschprogrammiernacht (GPN 2018), Karlsruhe, Germany, May 10–13, 2018